Re: Split zone DNS?
Yupp, use unbound, it's great.

On July 28, 2017 4:47:53 PM GMT+02:00, Liviu Daia wrote:
> On 28 July 2017, Steve Williams wrote:
>> Hi,
>>
>> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
>> versions over 10 years) fine tune my home network.
>>
>> I would like to run a local resolver on my internal network that will
>> resolve all my hosts on my local network to IP addresses on my local
>> network(s) rather than resolving to their public IP addresses.
>>
>> I believe it's called a "split zone" DNS, where my domain is resolved
>> locally, but everyone else is resolved using normal resolution processes.
>>
>> I set this up at one of my previous jobs using BIND, but that was 7 years
>> ago. I've never gone to the trouble of doing it at home, but I would like
>> to exercise my brain a bit as well as having my home network set up
>> "better".
>>
>> What is the best tool to accomplish this these days? Is NSD the "modern"
>> tool to be using on OpenBSD?
>>
>> Are there any hooks for dhcpd to update records?
>>
>> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
>> go, but I thought I'd check the wisdom here to see if there is a better
>> approach.
>
> unbound(8) probably does exactly what you want. It's mainly a
> recursive resolver, but it can also answer authoritatively for "local"
> zones, or simply override addresses for given hosts (think anti-spam).
> Unless you also want to answer queries for your domain coming from the
> Internet, you don't need a separate authoritative server.
>
> Regards,
>
> Liviu Daia

-- 
Take Care
Sincerely
flipchan
layerprox dev
Re: Split zone DNS?
On 2017-07-31, Kenneth Gober wrote:
> It's not totally clear whether
> it's even possible using nsd/unbound and the base dhcpd, but what I've
> seen indicates that it is not.

It could be done with some helper software to read the lease db and
convert to a zone file, or by reading logs and constructing
unbound-control commands to add/remove entries. There's nothing
pre-written afaik.

> So, what I am doing instead is I'm using isc-dhcp-server and isc-bind
> (from packages).

dnsmasq would be another option here.
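The "helper software" route described in the reply above, worked through as an added example; this is not code from the thread or from the OpenBSD project. It assumes the record layout documented in dhcpd.leases(5) (lease / ends / client-hostname / abandoned lines, UTC timestamps), an unbound.conf that already declares a local zone called `internal` and has remote-control enabled for unbound-control(8), and a LAN in 10.0.0.0/24. The function names, the `ZONE` variable and the sample lease records are invented for this example. The security-relevant detail is that the hostname comes from the DHCP client (option 12) and is attacker-controlled, so the script validates it as a plain DNS label before passing it to unbound-control rather than trusting whatever the client sent.

```shell
#!/bin/sh
# Added example (not from the thread): turn dhcpd's lease database into
# unbound-control local_data records so DHCP clients get names in a private
# zone served by unbound. Assumes the dhcpd.leases(5) record format, a
# "local-zone: internal static" in unbound.conf and remote-control enabled.

ZONE="${ZONE:-internal}"

# leases_to_rrs FILE
# Prints one resource record per line for every current, named lease, e.g.
#   laptop.internal. 300 IN A 10.0.0.8
#   8.0.0.10.in-addr.arpa. 300 IN PTR laptop.internal.
# The lease file is an append-only log, so the last record for an address
# wins; expired and abandoned leases are dropped, and a hostname that moved
# to a new address loses its old one. Hostnames are client-supplied and
# untrusted: anything that is not a single [a-z0-9-] label is discarded.
leases_to_rrs() {
    now=$(date -u '+%Y/%m/%d %H:%M:%S')   # lease times are UTC, fixed width
    awk -v zone="$ZONE" -v now="$now" '
    $1 == "lease" && $3 == "{" { ip = $2; name = ""; bad = 0; next }
    $1 == "client-hostname" {
        n = $0; sub(/^[^"]*"/, "", n); sub(/".*$/, "", n)
        name = tolower(n); next
    }
    $1 == "ends" {
        # "ends W YYYY/MM/DD HH:MM:SS;" or "ends never;". Same format as
        # now, so a plain string comparison orders the timestamps.
        if ($2 != "never;") { e = $3 " " $4; sub(/;/, "", e); if (e < now) bad = 1 }
        next
    }
    $1 == "abandoned;" { bad = 1; next }
    $1 == "}" {
        if (ip != "") {
            if (bad) {
                delete host[ip]
            } else if (name != "") {
                if ((name in byname) && byname[name] != ip) delete host[byname[name]]
                host[ip] = name; byname[name] = ip
            }
        }
        ip = ""; next
    }
    END {
        for (a in host) {
            n = host[a]
            # reject anything but a valid hostname label (RFC 1123 shape)
            if (n !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/ || length(n) > 63) continue
            if (a !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
            split(a, o, ".")
            printf "%s.%s. 300 IN A %s\n", n, zone, a
            printf "%s.%s.%s.%s.in-addr.arpa. 300 IN PTR %s.%s.\n", o[4], o[3], o[2], o[1], n, zone
        }
    }' "$1"
}

# apply_leases FILE
# Loads the records into the running unbound. Run it from cron or whenever
# dhcpd rewrites the lease file. Stale names are not removed here; pair it
# with "unbound-control local_data_remove NAME" for hosts that have left.
apply_leases() {
    leases_to_rrs "$1" | while IFS= read -r rr; do
        unbound-control local_data "$rr" >/dev/null || echo "failed: $rr" >&2
    done
}

# usage: apply_leases /var/db/dhcpd.leases
```

Run `leases_to_rrs /var/db/dhcpd.leases` first to see what would be loaded; a second copy of the output kept between runs makes it straightforward to `local_data_remove` names that disappeared. Because the records go through unbound-control rather than a zone file, nothing needs to be rdist'ed or reloaded, but they are also lost on restart, so the script belongs in whatever restarts unbound as well.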
Re: Split zone DNS?
On Fri, Jul 28, 2017 at 9:58 AM, Steve Williams wrote:
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
>
> What is the best tool to accomplish this these days? Is NSD the "modern"
> tool to be using on OpenBSD?
>
> Are there any hooks for dhcpd to update records?

I have found the readily available documentation unclear on how to handle
dynamic DNS updates when DHCP is in use. The advice I've seen has basically
been either to not bother, or to have DHCP assign fixed addresses (i.e.
don't do dynamic DNS). It's not totally clear whether it's even possible
using nsd/unbound and the base dhcpd, but what I've seen indicates that it
is not.

So, what I am doing instead is I'm using isc-dhcp-server and isc-bind (from
packages). Note that I provide DNS/DHCP service on my internal network only
(I do not provide any DNS name resolution of any kind on my Internet-facing
interfaces) so it's not really "split-horizon". If I were to provide
split-horizon DNS I would probably use two separate machines, one providing
internal service (using isc-dhcp-server and isc-bind) and another providing
external service (using nsd).

-ken
Re: Split zone DNS?
On 29/07/17 12:04, Craig Skinner wrote:
>> What is the best tool to accomplish this these days? Is NSD the "modern"
>> tool to be using on OpenBSD?
>
> When OpenBSD changed from BIND to NSD & Unbound, I found it simpler to
> serve the private domain '.internal' on the LAN;-

An alternative is to use a subdomain (like "internal.example.org") for your
LAN, and let the authoritative nameserver delegate the authority on that
subdomain to your local nameserver.

-- 
Étienne
Re: Split zone DNS?
On Fri, 28 Jul 2017 07:58:25 -0600 Steve Williams wrote:
>
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
>
> I believe it's called a "split zone" DNS, where my domain is resolved
> locally, but everyone else is resolved using normal resolution
> processes.
>

Yes Steve.

A split horizon DNS zone is where different data is served for the same
zone above & below the horizon (a gateway between the Internet & LAN).

So hosts like printer.example.not.uk resolve internally only. In the dark,
below the public light of the sun's horizon.

Also hosts like mail.example.not.uk have a private LAN IP address
internally, and have a public IP address when queried from the Internet.
(which is like poisoning the internal edition of the zone.)

> I set this up at one of my previous jobs using BIND, but that was 7
> years ago. I've never gone to the trouble of doing it at home, but I
> would like to exercise my brain a bit as well as having my home
> network set up "better".
>

Yes, I used to operate BIND as a split horizon server on OpenBSD too.

> What is the best tool to accomplish this these days? Is NSD the
> "modern" tool to be using on OpenBSD?
>

When OpenBSD changed from BIND to NSD & Unbound, I found it simpler to
serve the private domain '.internal' on the LAN;-

To serve a split horizon zone, there needs to be 2 NSD daemons, serving
different zone files. Either on different machines, or different ports.

Or,... Unbound can serve data for simple private zones, while leaving NSD
to serve public zones.

Unbound can stub (i.e. proxy) zones from NSD served zone files.

This thread is a couple of years old, but could help you get going:
http://marc.info/?l=openbsd-misc&m=141113669300630&w=2

A master NSD server can notify a slave NSD server, which will auto
transfer the zone & serve new data when the zone is updated.

So I have 2 NSD servers on my LAN, which 2 Unbound resolvers stub their
.internal domain from. (No need to cron rdist unbound.conf files between
servers & restart unbound.)

I can shutdown & upgrade 1 gateway machine, while everything on the LAN
keeps working as normal.

For internal domain name thoughts, see:
http://marc.info/?l=openbsd-misc&m=145639578710637&w=2

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
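The layout Craig describes (NSD authoritative for a private `.internal` zone, a second NSD kept current by NOTIFY and zone transfer, and Unbound stubbing the zone from both) written out as an added example. It is not Craig's configuration and not the files OpenBSD ships; every address, port, zone and key name is assumed: LAN 10.0.0.0/24, Unbound on 10.0.0.1, NSD primary on 10.0.0.2 and secondary on 10.0.0.3, both NSDs on port 5353 so they can share a machine with a resolver on port 53. The points worth copying are the TSIG key on the transfer and notify path, the `provide-xfr` restriction so nothing else can AXFR the zone, and the three Unbound settings without which a private zone served from RFC 1918 space either fails DNSSEC validation, gets its answers stripped as a rebinding attempt, or is shadowed by Unbound's built-in NXDOMAIN zone for 10.in-addr.arpa.

```conf
# --- /var/unbound/etc/unbound.conf on each gateway (fragment) ---
server:
        interface: 10.0.0.1
        access-control: 10.0.0.0/24 allow
        access-control: 0.0.0.0/0 refuse
        # "internal" has no DNSSEC chain of trust from the root; without this
        # the validator marks every answer in the zone bogus.
        domain-insecure: "internal."
        # Enable the rebinding check for the LAN range, then exempt the zone
        # that is supposed to return those addresses.
        private-address: 10.0.0.0/24
        private-domain: "internal."
        # Unbound answers NXDOMAIN for 10.in-addr.arpa by default; turn that
        # off so reverse lookups reach the stub (other 10/8 reverse queries
        # now go upstream, add your own local-zone if that matters).
        local-zone: "10.in-addr.arpa." nodefault

stub-zone:
        name: "internal."
        stub-addr: 10.0.0.2@5353
        stub-addr: 10.0.0.3@5353

stub-zone:
        name: "0.0.10.in-addr.arpa."
        stub-addr: 10.0.0.2@5353
        stub-addr: 10.0.0.3@5353

# --- /var/nsd/etc/nsd.conf on the primary, 10.0.0.2 ---
server:
        ip-address: 10.0.0.2@5353
        hide-version: yes

key:
        name: "lan-xfr"
        algorithm: hmac-sha256
        secret: "REPLACE-ME"   # e.g. openssl rand -base64 32; identical on both

zone:
        name: "internal"
        zonefile: "internal.zone"
        notify: 10.0.0.3@5353 lan-xfr
        provide-xfr: 10.0.0.3 lan-xfr   # only the secondary, only with the key

zone:
        name: "0.0.10.in-addr.arpa"
        zonefile: "0.0.10.in-addr.arpa.zone"
        notify: 10.0.0.3@5353 lan-xfr
        provide-xfr: 10.0.0.3 lan-xfr

# --- nsd.conf on the secondary, 10.0.0.3 (same server: and key: blocks) ---
zone:
        name: "internal"
        zonefile: "internal.zone"
        allow-notify: 10.0.0.2 lan-xfr
        request-xfr: 10.0.0.2@5353 lan-xfr

zone:
        name: "0.0.10.in-addr.arpa"
        zonefile: "0.0.10.in-addr.arpa.zone"
        allow-notify: 10.0.0.2 lan-xfr
        request-xfr: 10.0.0.2@5353 lan-xfr
```

If NSD listens on 127.0.0.1 instead of a LAN address, Unbound additionally needs `do-not-query-localhost: no` before it will send stub queries there. After editing, `nsd-checkconf` and `unbound-checkconf` catch syntax errors, and bumping the SOA serial on the primary followed by `nsd-control reload` should show the transfer in the secondary's log; `dig @10.0.0.1 printer.internal` then confirms the stub path end to end.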
Re: Split zone DNS?
Hi,

Thanks for the feedback everyone! I'll be looking at unbound and seeing if
I need nsd or not.

Have a great weekend!

Cheers,
Steve

On 28/07/2017 7:58 AM, Steve Williams wrote:
> Hi,
>
> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> versions over 10 years) fine tune my home network.
>
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
>
> I believe it's called a "split zone" DNS, where my domain is resolved
> locally, but everyone else is resolved using normal resolution processes.
>
> I set this up at one of my previous jobs using BIND, but that was 7 years
> ago. I've never gone to the trouble of doing it at home, but I would like
> to exercise my brain a bit as well as having my home network set up
> "better".
>
> What is the best tool to accomplish this these days? Is NSD the "modern"
> tool to be using on OpenBSD?
>
> Are there any hooks for dhcpd to update records?
>
> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.
>
> Thanks,
> Steve Williams
Re: Split zone DNS?
On 28 July 2017, Steve Williams wrote:
> Hi,
>
> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> versions over 10 years) fine tune my home network.
>
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
>
> I believe it's called a "split zone" DNS, where my domain is resolved
> locally, but everyone else is resolved using normal resolution processes.
>
> I set this up at one of my previous jobs using BIND, but that was 7 years
> ago. I've never gone to the trouble of doing it at home, but I would like
> to exercise my brain a bit as well as having my home network set up
> "better".
>
> What is the best tool to accomplish this these days? Is NSD the "modern"
> tool to be using on OpenBSD?
>
> Are there any hooks for dhcpd to update records?
>
> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.

unbound(8) probably does exactly what you want. It's mainly a
recursive resolver, but it can also answer authoritatively for "local"
zones, or simply override addresses for given hosts (think anti-spam).
Unless you also want to answer queries for your domain coming from the
Internet, you don't need a separate authoritative server.

Regards,

Liviu Daia
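The unbound-only arrangement Liviu describes, same domain inside and out with a few hosts overridden, as an added example; it is not from the thread and not OpenBSD's shipped unbound.conf. It assumes a LAN of 10.0.0.0/24 with the resolver on 10.0.0.1 and uses example.org as the public domain; the host names and addresses are made up. The one detail that bites in practice is the local-zone type: with `transparent`, a name that has local data is answered only from local data, so an MX query for mail.example.org would come back NODATA instead of going to the public zone, which is why the example uses `typetransparent`.

```conf
# /var/unbound/etc/unbound.conf (fragment)
server:
        interface: 127.0.0.1
        interface: 10.0.0.1
        # Serve the LAN only; overrides are harmless to leak, an open
        # recursive resolver is not.
        access-control: 127.0.0.0/8 allow
        access-control: 10.0.0.0/24 allow
        access-control: 0.0.0.0/0 refuse

        # Split horizon for the names that differ inside: listed names are
        # answered from local data, every other name under example.org is
        # resolved normally. "typetransparent" also resolves other record
        # types (MX, TXT, ...) for the listed names upstream; plain
        # "transparent" would answer those with NODATA.
        local-zone: "example.org." typetransparent
        local-data: "mail.example.org. 300 IN A 10.0.0.25"
        local-data: "www.example.org. 300 IN A 10.0.0.30"
        local-data: "printer.example.org. 300 IN A 10.0.0.20"

        # Reverse records for the overrides. Unbound's built-in local zone
        # for 10.in-addr.arpa answers NXDOMAIN for anything not listed.
        local-data-ptr: "10.0.0.25 mail.example.org"
        local-data-ptr: "10.0.0.30 www.example.org"
        local-data-ptr: "10.0.0.20 printer.example.org"

        # The "anti-spam" style override: a static zone with no data returns
        # NXDOMAIN for the name and everything below it.
        local-zone: "ads.example.net." static
```

Check it with `unbound-checkconf`, reload, then compare `dig @10.0.0.1 mail.example.org A` (local answer) with `dig @10.0.0.1 mail.example.org MX` (public answer). Two caveats: clients that validate DNSSEC themselves will reject the overridden answers if example.org is signed, since unbound is handing out unsigned data for a signed name; and a laptop that leaves the LAN carries none of this with it, so the public zone must still be correct on its own.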
Re: Split zone DNS?
Hi,

In large scenarios, they might have an advantage in having the same domain
inside and outside, which is when accessing services behind NAT addresses,
you can serve the private address internally. In that way, you do not need
to go to the firewall and back to the private network to translate that NAT.

Regards

On 28 July 2017 at 15:23, Claer wrote:
> On Fri, Jul 28 2017 at 58:07, Steve Williams wrote:
>
>> Hi,
>
> Hello,
>
>> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
>> versions over 10 years) fine tune my home network.
>>
>> I would like to run a local resolver on my internal network that will
>> resolve all my hosts on my local network to IP addresses on my local
>> network(s) rather than resolving to their public IP addresses.
>>
>> I believe it's called a "split zone" DNS, where my domain is resolved
>> locally, but everyone else is resolved using normal resolution processes.
>>
>> I set this up at one of my previous jobs using BIND, but that was 7 years
>> ago. I've never gone to the trouble of doing it at home, but I would like
>> to exercise my brain a bit as well as having my home network set up
>> "better".
>>
>> What is the best tool to accomplish this these days? Is NSD the "modern"
>> tool to be using on OpenBSD?
>
> I went for nsd for external domain information and Unbound for local
> cache and local resolutions override.
>
> bind was a DNS resolver and a forwarder at the same time. If you want
> both options, you need to setup NSD and Unbound.
>
> Unbound alone can do the trick for few records, but I found it easier to
> have a dedicated resolver in case I wanted to sync zones with a slave.
>
>> Are there any hooks for dhcpd to update records?
>
> Dunno, I use static MAC - IP mapping.
>
>> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way
>> to go, but I thought I'd check the wisdom here to see if there is a better
>> approach.
>
> As said, just pay attention that nsd is a resolver only.
>
>> Thanks,
>> Steve Williams
>
> Nowadays, I try to avoid using the same domain for internal and
> external. From my ops point of view, having a domain.local and a
> domain.ext is easier to maintain.
>
> Regards,
>
> Claer

-- 
Regards,

Rui Ribeiro
Senior Linux Architect and Network Administrator
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
Re: Split zone DNS?
On Fri, Jul 28 2017 at 58:07, Steve Williams wrote:

> Hi,

Hello,

> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> versions over 10 years) fine tune my home network.
>
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
>
> I believe it's called a "split zone" DNS, where my domain is resolved
> locally, but everyone else is resolved using normal resolution processes.
>
> I set this up at one of my previous jobs using BIND, but that was 7 years
> ago. I've never gone to the trouble of doing it at home, but I would like
> to exercise my brain a bit as well as having my home network set up
> "better".
>
> What is the best tool to accomplish this these days? Is NSD the "modern"
> tool to be using on OpenBSD?

I went for nsd for external domain information and Unbound for local
cache and local resolutions override.

bind was a DNS resolver and a forwarder at the same time. If you want
both options, you need to setup NSD and Unbound.

Unbound alone can do the trick for few records, but I found it easier to
have a dedicated resolver in case I wanted to sync zones with a slave.

> Are there any hooks for dhcpd to update records?

Dunno, I use static MAC - IP mapping.

> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.

As said, just pay attention that nsd is a resolver only.

> Thanks,
> Steve Williams

Nowadays, I try to avoid using the same domain for internal and
external. From my ops point of view, having a domain.local and a
domain.ext is easier to maintain.

Regards,

Claer
Split zone DNS?
Hi,

I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
versions over 10 years) fine tune my home network.

I would like to run a local resolver on my internal network that will
resolve all my hosts on my local network to IP addresses on my local
network(s) rather than resolving to their public IP addresses.

I believe it's called a "split zone" DNS, where my domain is resolved
locally, but everyone else is resolved using normal resolution processes.

I set this up at one of my previous jobs using BIND, but that was 7 years
ago. I've never gone to the trouble of doing it at home, but I would like
to exercise my brain a bit as well as having my home network set up
"better".

What is the best tool to accomplish this these days? Is NSD the "modern"
tool to be using on OpenBSD?

Are there any hooks for dhcpd to update records?

I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
go, but I thought I'd check the wisdom here to see if there is a better
approach.

Thanks,
Steve Williams